During deployment of firebase cloud function v2 , I try to access secret environment variable which I declared in GCP UI.
I was granted a permission as secretmanager.version.access
, in fact after running cli command:
firebase deploy --only functions
,
I receive an error: Error: HTTP Error: 403, Permission 'secretmanager.secrets.setIamPolicy' denied for resource 'projects/{my-project}/secrets/{secret-name}' (or it may not exist)
.
Here is represented the code of function and how I am accessing a secret env variable:
import { initializeApp, getApps, getApp } from "firebase-admin/app";
import { getFirestore } from "firebase-admin/firestore";
import { onCall, HttpsError } from "firebase-functions/v2/https";
import jwt from "jsonwebtoken";
initializeApp();
const db = getFirestore();
const {sign,verify} = jwt;
export const inviteClientPerMail = onCall(
{
secrets: ["secret-name"],
region: "europe-west3",
cors: true,
enforceAppCheck: false
},
async (request) => {
"""function logic"""
...
console.log("Secret is: ", process.env.`secret-name`);
...
"""function logic"""
}
...
Is it an issue that is related to firebase or cloud platform? or how does Firebase CLI should see the permission that I have set in GCP platform?
As John Hanley suggested, you were granted permission. However, the cloud function is not using your identity. Which means the service account that is attached to the cloud function is missing the required permission (IAM Role). So, you need to grant them.
Follow below Steps and try accordingly :
Check which service account you are using for cloud functions . You can find the serviceAccountEmail: xxxxxxxxxxxx.gserviceaccount.com from the deployment information details of cloud function.
Check whether this service account has sufficient IAM privileges like (roles/secretmanager.secretAccessor) IAM role on a secret.
If these roles are not present then follow this documentation and give the required roles.